That is my current setup. We used to run our APs in WEP 40-bit, but I can't stand that any longer. Since I have upgraded to the setup listed above, we have had all kinds of problems with devices connecting.

The issues we are having are intermittent, and I have yet to find a pattern. If one Mac can connect, another cannot. One iPhone can connect, another cannot. PCs, Androids, so on and so forth.

Here are some things I have done to try to resolve this:

Ensured that all users needing wireless are a member of the domain\wireless group (per NPS policy)

Ensured that all units are running the same firmware revision (as all are the exact same model)

Did a backup of the configuration on a unit that more people could access, and restored to all other units (changing only the IP and the unit name).

Verified that devices which do connect with AD username/password are indeed able to access the internet and appropriate network resources

Any troubleshooting suggestions, and generally sage advice, would be much appreciated.

We tried it, and we were unable to connect with some, able with others. This is baffling me. If we throw it to WEP encryption, or open it wide, we can get on.

I have compared users, but one of my guys was able to connect with his phone using his own username and password, and he was able to connect with his phone using one of the administrators' username and password. However, when he grabs that Admin's phone, he cannot connect with his own username/password, or the admin's.

Further troubleshooting would be great, but I would also entertain suggestions toward other solutions.

I've combed the event logs, and I've looked at the RADIUS accounting logs. The only errors in the event log are where I had forgotten to create a RADIUS client for one of the APs. Everything else is just a log of successful connections.

If you can't see failures when the clients are failing that means the AP isn't passing the authentication request to the RADIUS server. That could be for a number of reasons.

If you see this across all your APs I would pick one AP where it is causing you a problem and stick a different version of firmware on it. If that doesn't make a difference it's probably not a firmware or AP issue.

What does your network look like? Is it using VLANs? If so, are the APs on the same VLAN as the NPS server?

It is more random, actually. And, there is no real pattern I've been able to discern. I have one guy who can connect with his iPhone in the library, but when he goes to the classroom building he can't connect. I have others that can't connect to any of them (I suspect that is an AD config thing) but, there is nobody who can connect to all of them.

I have made sure they were all on the same firmware, and have the exact same config, except the IP address and hostname are different. Otherwise, the SSID is the same, and all are lower-case.

Edit Note:
I have since moved them all to WPA2-PSK and I am not having any issues with people connecting.

I'm almost convinced that EnGenius units just can't handle the enterprise authentication properly.

I don't think the APs are passing authentication requests to the NPS server properly. It may just be a firmware thing though so it's worth trying different versions of firmware on one AP just to rule it out.

We just finished some testing today on the wireless units. I moved them all back to WPA2-PSK and everyone can connect without issues.

I set up a Cisco Airo 12xx with RADIUS and I can connect all the devices I've tried using the network username and password (so far). One exception is the occasional iPhone or iPad. Not sure why Cisco doesn't like them, but I've run into this before with Cisco WAPs.

Otherwise, I'm going to say the problem is solved!

Thank you for the contributions.
